I've been running wg since it was introduced into the kernel without any issues.
local pf.conf: ... pass in on wg0 from (wg0:network) to any match out on wg0 from any to any nat-to (wg0) ... pass out modulate state remote pf.conf: ... pass in on wg0 pass out on wg0 match out on vio0 nat-to (vio0) ... The wireguard tunnel carries a gif tunnel with IPv6 traffic, routes on the VPN via OSPF, and traffic NAT-d from multiple VLANs without issue. Taking a hard look at rule hits using `pfctl -vvsr' can be very useful. Running tcpdump against the wg interfaces and the physical interfaces on both ends has helped me resolve many issues I've had when I've messed something up.
